Scan System for Implants Installed by CIA

Since WikiLeaks published the Vault 7 documents taken from the CIA, companies mentioned in the publications have busily updated their flaws to give users peace of mind.

The published documents of more than eight thousand, list many tech companies. Apple, one of the mentioned, says the hacking techniques in the released documents have been updated with security patches. Apple have also announced that as new vulnerabilities arise, they will be updated accordingly, on a high priority basis.

Apple stated their products are designed to quickly receive security patches and updates as soon as anything is discovered. They also said that over seventy percent of Apple users are using the latest operating systems with all the updated security patches.

Apple, like many others out there, insists their customers should use their latest operating systems to keep them safe from the many mentioned vulnerabilities in the WikiLeaks CIA dump.

Furthermore, hardware manufacturer Intel has also devised a tool that can discover an Extensible Firmware Interface (EFI) rootkit. In simple words, rootkits are meant to be undetectable and the ones we are talking about were specially designed systems running Apple’s operating systems.

EFI is the firmware introduced by Intel to replace the BIOS (Basic Input or Output System) firmware system. In addition, it has been favoured over the Unified Extensible Firmware Interface (UEFI), as well. The UEFI is a set of instructions connecting the software between the operating system and the firmware itself.

The rootkit is known as ‘Dark Matter’ and was mentioned in the ‘Der Starke’ documents published under WikiLeaks’ Vault 7 release.

According to Intel Security’s Vice President and Chief Technical Officer for Intel Security for Europe, Middle East and Africa, Raj Samani, and Strategic Threat Intelligence Researcher Christiaan Beek, said that Dark Matter consists of a large EFI components library that provides a variety of injecting options into the EFI firmware on multiple levels of its target.

“If one has generated a white list of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the Dark Matter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit,” explains Raj Samani and Christiaan Beek. “EFI firmware malware is a new frontier for stealth and persistent attacks that may be used by sophisticated adversaries to penetrate and persist within organisations and national infrastructure for a very long time.”

The Gift

So now, after scaring you into concerned mode, you must be asking what’s there to be done about the CIA-spying problem. Many might be thinking the best way of keeping hidden from the government is to avoid the internet at all costs. It may be the safest way to finish your online presence, however it’s not the best solution.

Intel Security has designed a scanner that can help you identify and report problems to your manufacturer. The ChipSec scanner is an open source framework capable of scanning for all probes and rootkits that may be present in your system. The open source framework is compatible with UEFI shell, Linux, Mac OS X and Windows, and it consists of forensic scan capabilities and a relevant security suite, helping guide you through the problem.

This article (Scan System for Implants Installed by CIA) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.com.